Changing IKE and IPSEC parameters

02-15-2010 01:27 PM

I'm trying to figure out which IKE policy and ipsec transform-set and crypto-maps are used for cert-based RAPs. The two IKE policies configured on a controller by default are configured for pre-share key, so it can't be either of those, but there isn't one even configured for rsa sigs. So what IKE policy is it using?

Also, I want to enable PFS (w/ DH group 2) in whatever crypto-map is used for IPSEC. There's one map, default-dynamicmap, but if I configure "set pfs group2" in there and issue a "show crypto ipsec sa", the output shows "PFS: No".